* Support rotating secrets using Lambda
The Secrets manager rotation process uses an AWS Lambda function
to perform the rotation of a secret. [1]
In fact, it's not possible to trigger rotation of a Secret
without specifying a Lambda function at some point in the life
of the secret:
```
$ aws secretsmanager rotate-secret --secret-id /rotationTest
An error occurred (InvalidRequestException) when calling the RotateSecret operation: No Lambda rotation function ARN is associated with this secret.
```
`moto` can be a little more lenient in this regard and allow
`rotate_secret` to be called without a Lambda function being
present, if only to allow simulation of the `AWSCURRENT` and
`AWSPREVIOUS` labels moving across versions.
However, if a lambda function _has_ been specified when calling
`rotate_secret`, it should be invoked therefore providing the
developer with the full multi-stage process [3] which can be
used to test the Lambda function itself and ensuring that full
end-to-end testing is performed. Without this there's no easy
way to configure the Secret in the state needed to provide the
Lambda function with the data in the format it needs to be in
at each step of the invocation process.
[1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html
[2]: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.rotate_secret
[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html#rotation-explanation-of-steps
* Run `black` over `secretsmanager/models.py`
* Make `lambda_backends` import local to the condition
* Implement `update_secret_version_stage`
Allow a staging label to be moved across versions.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.update_secret_version_stage
* Add an integration test for Secrets Manager & Lambda
* Support passing `ClientRequestToken` to `put_secret_value`
By passing `ClientRequestToken` to `put_secret_value` within
the lambda function invoked by calling `rotate_secret`, one
can update the value associated with the existing (pending)
version, without causing a new secret version to be created.
* Add application logic for `AWSPENDING`
The rotation function must end with the versions of the secret
in one of two states:
- The `AWSPENDING` and `AWSCURRENT` staging labels are
attached to the same version of the secret, or
- The `AWSPENDING` staging label is not attached to any
version of the secret.
If the `AWSPENDING` staging label is present but not attached
to the same version as `AWSCURRENT` then any later invocation
of RotateSecret assumes that a previous rotation request is
still in progress and returns an error.
* Update `default_version_id` after Lambda rotation concludes
Call `set_default_version_id` directly, rather than going
through `reset_default_version` as the Lambda function is
responsible for moving the version labels around, not `rotate_secret`.
* Run `black` over changed files
* Fix Python 2.7 compatibility
* Add additional test coverage for Secrets Manager
* Fix bug found by tests
AWSPENDING + AWSCURRENT check wasn't using `version_stages`.
Also tidy up the AWSCURRENT moving in `update_secret_version_stage`
to remove AWSPREVIOUS it from the new stage.
* Run `black` over changed files
* Add additional `rotate_secret` tests
* Skip `test_rotate_secret_lambda_invocations` in test server mode
* Add test for invalid Lambda ARN
`secretsmanager:DescribeSecret` returns `VersionIdsToStages`
`secretsmanager:ListSecrets` returns the same information in `SecretVersionsToStages`
* Verified fix against real AWS backend.
Fixes#3406
* SecretsManager - handle missing secrets versions
The get_secret_value method should raise ResourceNotFoundException
if a secret exists but the provided VersionId does not.
* Run black
* 2.x support
* black fix?
* secret is not a dict. Fix error msg output.
* Feature: Support --filters opton in secretsmanager:ListSecrets
* Implement some of the secret filters
* Check listSecrets filters combine with an implicit AND operator
* Test all filter and multi-value filter and multi-word filter
* Fix matcher behavior, restructure code
* Implement remaining listSecrets filter cases
* Linter fixes
* Use contains-in-any-order assertions for test_list_secrets
* Linter fix again
* Attempt Python 2 fix for assert_items_equal
* Remove docstrings from test_list_secrets tests as they make the test reports weird
* Test and handle listSecrets filter with no values
* Fix: SecretsManager - Added missing pop() override to get_secret_name_from_arn (#3056)
* Added test case for delete_secret_force_with_arn (#3057)
* Fixed lint for test_delete_secret_force_with_arn (#3057)
The support in this patch is preliminary and may or may not be feature complete.
It provides the basic support for update_secret so that future work can build
on it as needed.
* initial work
- adding put_secret_value and list_secret_versions
* Added support for versions in all functions except rotate_secret
* more work
- refactor rotate_secret method
- now, adds a new version of the secret and points default version id to it
- updated implementation coverage readme
- element in list check to fix unit test
- fixed linting errors
- added tests, fixed exception, failing tests still
- secrets_manager/test_server fails when running whole suite,
but not when running that individual test file
* fixed failing test_get_secret_value
* Removed test.py. Fixed condition statement.
* fixed default stages + adding AWSPREVIOUS
* remove old AWSPREVIOUS stages
- Add standalone unit test to verify that rotation is enabled and the
rotation interval is correct.
- Add server test to verify that rotation is enabled and the rotation
interval is correct. Commented out until nested dict error is sorted.
- Fix incorrectly asserted message strings.
